[Samba] Demote a samba DC and rejoin as member

Andreas Heinlein aheinlein at gmx.com
Mon Jan 15 09:44:13 UTC 2018


Hello,

I had tried to demote a samba DC and re-join it as a member over the
weekend, but something went horribly wrong.

Starting point was a samba DC which also acted as a file server. It was
the single DC in that domain.

I first set up a Windows 2008 R2 machine and promoted it to DC within
the same domain. I then changed DNS entries on all machines to point to
the new DC, transferred the FSMO roles to the new DC. Up to that point,
everything worked OK for a week. Yesterday, I demoted the samba DC as
outlined in the wiki, and then joined it again to the domain as a
member after adjusting smb.conf. I followed the steps for provisioning a
new samba server as a domain member. Joining worked, but shortly
afterwards the whole domain stopped working.

Logging in from a Windows workstation was possible (I assume through
cached credentials), but access to shares on the samba server as well as
another Windows 2008 member server in the same domain was not;
DNS-Server on the Windows DC did not start because it couldn't establish
a connection to AD, AD service complained it could not locate the global
catalog, dcdiag showed all sorts of problems. As I was unable to resolve
this using my - limited - Windows server skills, I finally trashed the
Windows DC and restored the samba private dir and smb.conf from a backup
before demotion, so it was now a DC again. I seized the FSMO roles and
now everything seems to work again.

I do not want to go into the details of what went wrong. My question is
- I overlooked two things when re-joining the samba server as a member:
1.) I left share definitions for netlogon and sysvol in the smb.conf
2.) I left the samba private dir as is after demotion

Could these be the cause of these problems? I should have probably
started out with an empty private dir or even complete /var/lib/samba as
in a fresh installation, I guess. Is there anything else to consider
when demoting and re-joining as a member?

Thanks,
Andreas
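
A read-only pre-join check for the two leftovers named in the question above (netlogon/sysvol share definitions in smb.conf and database files remaining in the private dir), added here as an example; it is not part of the original post and is not Samba project code. The function names and the paths in the usage comment are assumptions, and the check only reports what is present, it does not establish whether either leftover caused the outage described.

```shell
#!/bin/sh
# Added example: report DC leftovers before joining a former Samba DC as a member.
# Nothing is modified; both paths are supplied by the caller.

# Print the DC-only share sections (netlogon, sysvol) still defined in smb.conf.
dc_only_shares() {
    # $1 = path to smb.conf
    awk '
        /^[ \t]*[#;]/ { next }                 # skip commented-out lines
        /^[ \t]*\[.*\]/ {                      # a [section] header
            name = $0
            sub(/^[ \t]*\[/, "", name)
            sub(/\].*$/, "", name)
            name = tolower(name)               # section names are case-insensitive
            if (name == "netlogon" || name == "sysvol") print name
        }
    ' "$1"
}

# Print the *.ldb / *.tdb database files still present under the private dir.
leftover_private_dbs() {
    # $1 = private dir
    [ -d "$1" ] || return 0
    find "$1" -type f \( -name '*.ldb' -o -name '*.tdb' \) | sort
}

# Return 0 when neither leftover is found, 1 otherwise, with a line per finding.
member_prejoin_check() {
    conf=$1; priv=$2; rc=0
    shares=$(dc_only_shares "$conf")
    if [ -n "$shares" ]; then
        echo "smb.conf still defines DC shares:" $shares
        rc=1
    fi
    dbs=$(leftover_private_dbs "$priv")
    if [ -n "$dbs" ]; then
        echo "private dir still holds database files:"
        echo "$dbs"
        rc=1
    fi
    return $rc
}

# Usage (assumed paths, adjust to the installation):
#   member_prejoin_check /etc/samba/smb.conf /var/lib/samba/private
```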
